$10 Million Reward for White-Hat Web3 Hackers

A researcher who found a critical vulnerability in Wormhole earned $10 million. Critical vulnerabilities in DeFi are leading to million-dollar payouts. The top white-hat hackers who hunt for vulnerabilities in decentralized protocols in Web3 are earning millions, overshadowing the $300,000 salary cap in traditional cybersecurity roles.

“Our leaderboard shows researchers are making millions per year, which is much higher compared to the typical cybersecurity salaries in the $150k-$300k range,” Mitchell Amador, co-founder and CEO of bug bounty platform Immunefi, told Cointelegraph.

In crypto, “white hats” refer to ethical hackers who are paid to disclose vulnerabilities in decentralized finance (DeFi) protocols. Unlike salaried corporate roles, these researchers select their own targets, set their own hours, and earn based on the impact of their findings.

So far, Immunefi has facilitated over $120 million in payouts across thousands of reports. Thirty researchers have already become millionaires.

“We protect over $180 billion in total value locked through our programs,” Amador said, adding that the platform offers rewards up to 10% for critical bugs. “These multimillion-dollar payouts reflect the fact that many protocols risk losing tens or hundreds of millions of dollars from a single vulnerability,” he stated.


$10 Million Bug Bounty Saved Billions

The largest single payout to a Web3 white hat was $10 million, awarded to the hacker who found a deadly bug in the Wormhole cross-chain bridge. Amador said this vulnerability could have wiped out billions.

Despite this vulnerability being disclosed, Wormhole was later hit by a $321 million attack on its Solana bridge in 2022, which was the largest crypto hack of the year. In February 2023, Web3 infrastructure firm Jump Crypto and Oasis.app staged a “counter-exploit” against the Wormhole protocol hacker, recovering a total of $225 million.

Amador explained that critical vulnerabilities yield the largest rewards. Top researchers earned between $1 million and $14 million, depending on the severity and scope of their findings. “These are the 100x hackers who can find vulnerabilities that others miss,” he said.

While the early years of DeFi were riddled with smart contract bugs, 2025 saw a rise in “non-code” attacks, such as social engineering, compromised keys, and operational security vulnerabilities. Despite this shift, bridges remain the most lucrative target due to their cross-chain complexities and the large sums they secure.

Patterns have emerged regarding which types of projects are most frequently breached. “DeFi protocols that manage significant TVL and don’t have strong bounty programs are most at risk,” Amador said. He warned that early-stage teams rushing to market without security measures, as well as complacent established players, are at high risk.


Crypto Hackers Stole $163 Million in August

Crypto-related hacks and scams resulted in $163 million in losses in August, Cointelegraph reported. This marks a 15% increase from the $142 million recorded in July. Despite the increase in losses, overall incidents trended downwards, with only 16 attacks recorded compared to 20 in June.

The majority of the losses stemmed from two major incidents: a $91 million social engineering scam targeting a Bitcoin investor and a $50 million breach of the Turkish exchange Btcturk.


Do you think these massive bug bounties are a sustainable and effective model for securing the rapidly evolving Web3 space, or is more regulation needed?
